Menu

Monthly Archives: November 2014

In previous article I have enabled MFA for user alsajid@salonovi.cz and now I will test its behavior, while MFA Enabled and Enforced

User setup

When I log on for the first time with new user or try to access https://portal.onmicrosoft.com with user with just enabled MFA, Login window will look different and after typing my password it will require to set up MFA.

Office 365 talks to you in your prefered language, you can choose mobile application or mobile phone or normal phone to contact and pick up whether to be contacted by SMS or phone call.

I choose Mobile phone and SMS, next and I am required to verify my device

I have received SMS code

Verification went OK and in next step I am warned, that my password will be working only in browser (1) and for other aplications named in (2) I need to generate App Passwords (3) or agree, that these applications will not be used for my account (4)

APP Passwords (support for thick clients)

To generate App Passwords I was redirected to Windows Azure Active Directory logon screen, where I have been MFAuthenticated via SMS 🙂

Now I can create App Passwords

Next is name of application and then the password is generated and displayed once. You must copy it to clipboard

Now use the password as you have used your password for Office 365 previously. So basically you use your App Password instead of your Office 365 password.

Described here. This is most important link for support persons on MFA enabled customer´s helpdesk:

Well so far so good but now , what I finally don´t like. Lets say, that App Passwords are need for not MFA ready apps..ok, you can define as much App Passwords as you want, you can name those, but you can use all of them to all aplications. That is a bit strange. I have generated two App Passwords and I was able to use both for LYNC client.

Options for MFA

First is full featured Azure MFA, which is paid (I don´t have Azure subscription nor want to pay for it, so I will use second option.

Second option is to use it for free for Office 365 application which means to enable it in Office 365 portal

How to enable MFA in Office 365 (Admin point of view)

Prerequisites are obvious. You must have working tenant, licenses, test users and so on. After all prerequisites are fulfilled, use the following:

Log on to tenant

In Office 365 admin center page go to Users -> Active Users and Set Up in Set Multi Factor Authentication requirements

Process consists of two steps. In first step you enable MFA for user. This allows user to start registration proces in which user select methods of additional verification. supported clients and browsers.

After MFA is enabled, provide user with a link to manage his MFA options. User can visit the link and manage his profile after successful sign in to Office 365

Enforce option is second step to force user, to use MFA after successful registration. Create APP Passwords for not supported clients such as Outlook as a second authentication factor besides username and password is described in part 2.

Enforce option is not enabled for admins for security reasons so do not use enforce options for admins, because it will force admins to use browsers only

While MFA is enabled, you can force user to re-create App Passwords by deleting old ones, provide contact info again and restore MFA for devices, which were previously suspended from MFA, because those devices were registered and user selected to skip MFA for known devices.